SMEs Forced To Live With New Normal Of Cyberattacks


The price tag attached to a data breach on a small business has increased this year, according to new analysis from IBM and Ponemon Institute. With their newly released “2016 Cost of Data Breach: Canada” report, the firms examined the financial impact of data breaches on 24 companies in Canada to assess the damage.

In the context of separate research that found SMEs in the U.S. are dreadfully unprepared for a cyberattack, IBM and Ponemon’s report is an alarming reminder that the cyberthreat for small businesses in North America is on the rise and likely to continue growing without efforts to stunt the expansion.

A deeper look into the report uncovers how the financial impact of a cyberattack hits a small business from all angles. According to the data, the cost of the average data breach on a Canadian SME increased from $250 to $278 compared with the 2015 analysis. But researchers also agree that a “megatrend” persists among SMEs across the globe that are hit with cyberattacks: the cost of a data breach can appear both in the burden on SMEs of resolving the breach and in the business lost following the incident.

“Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve,” concluded IBM and Ponemon. As a result, researchers concluded, businesses are likely upping their investment in prevention and detection measures via integration of in-house technologies and expertise.

But the report also found that, in examining the data over the span of several years, it appears that the cost of a data breach is “a permanent cost” that now needs to be recognized as companies develop their budgets and security strategies.

In a reaction to IBM and Ponemon’s report, Kevin Pollack, SVP at information security firm Shred-it, said it’s understandable why small businesses would be reluctant to invest in cybersecurity measures, especially as the cost of those efforts seems to be rising.

“It’s easy to understand that smaller-sized businesses try to minimize costs until they begin to get off the ground and gain momentum,” the executive stated. “At the same time, any financial savings gained from reducing costs in certain areas, like information security, will be easily surpassed in costs and reputational damage related to a breach.”


Who’s At Risk?

According to IBM and Ponemon researchers, certain industries are particularly at risk when it comes to data breaches.

The services, financial and energy spaces report higher average costs of data breaches than their peers in other sectors, the report found. The causes of these breaches also add up to a troubling picture for companies, with the majority the result of intentional, malicious or criminal attacks on a company. About one-fifth were caused by glitches in a company’s system, while a quarter were the result of human error.

For businesses that experience malicious cyberattacks, the cost of that data breach is significantly higher than the mean, topping $304 per attack.

It may seem like a minimal cost for a company, but the figures add up.

The report found a collective financial loss of $7.16 million for businesses with between 25,000 and 50,000 records exposed by the cyberattack. The cost to companies even after an attack is resolved can be massive due to customer abandonment. The report found $7.13 million in losses for companies that experienced an average churn rate of 3–4 percent.

With such a high financial burden, the cost of implementing preventative cybersecurity measures seems like a drop in the bucket. According to IBM and Ponemon, these investments do indeed decrease the ultimate financial burden of a data breach.

“Certain factors reduced the cost of data breach,” the report found. “Incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement or participation in threat sharing decreased the per capita cost.”

Shred-it’s Pollack agreed.

“The cost of implementing training on information security protocols and procedures is a small price to pay in comparison with the costs of regulatory fines, litigation, fraud and, most importantly, damage to reputation that can result from a data breach,” he said.